3 files changed, 4 insertions, 0 deletions

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 4e7edea..b47dce3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
         $variable_variable = /\${\$[0-9a-zA-z]+}/
         $too_many_chr = /(chr\([\d]+\)\.){2,}?/  // concatenation of more than two `chr()`
         $concat = /(\$[^\n\r]+\.){5,}?/  // concatenation of more than 5 words
+        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
         $gif = /^GIF89/
 condition:
         any of them and not IsWhitelisted
diff --git a/php-malware-finder/samples/artificial/bypasses.php b/php-malware-finder/samples/artificial/bypasses.php
index fc1c447..9d849a4 100644
--- a/php-malware-finder/samples/artificial/bypasses.php
+++ b/php-malware-finder/samples/artificial/bypasses.php
@@ -3,3 +3,5 @@
 // https://rstforums.com/forum/topic/98500-php-malware-finder/?do=findComment&comment=615687
 print_r(call_user_func_array($_POST['functie'], array($_POST['argv'])));
 
+// https://github.com/nbs-system/php-malware-finder/commit/47d86bf92eb15fe65dd4efbc04d0004856e88ddd#commitcomment-16355734
+print_r($_POST['funct']($_POST['argv']));
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 93319a0..7566e89 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -76,5 +76,6 @@ run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
 
 run_test artificial/bypasses.php 'DodgyPhp'
 run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
+run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
 
 echo "[+] Congratz, the $CPT tests succeeded!"